Abstract. In this paper we investigate to what extent a very simple and natural
"reachability as deducibility" approach, originating in research on formal methods
for security, is applicable to the automated verification of large classes of
infinite state and parameterized systems. This approach is based on modeling the
reachability between (parameterized) states as deducibility between suitable
encodings of states by formulas of first-order predicate logic. The verification of
a safety property is reduced to the purely logical problem of finding a countermodel
for a first-order formula. This task is then delegated to generic automated finite
model building procedures. In this paper we first establish the relative completeness
of the finite countermodel finding method (FCM) for a class of parameterized linear
arrays of finite automata. The method is shown to be at least as powerful as known
methods based on monotonic abstraction and symbolic backward reachability. Further,
we extend the relative completeness of the approach and show that it can solve all
safety verification problems which can be solved by regular model checking.



1 Introduction 

The verification of infinite state systems and parameterized systems is, in general, an
undecidable algorithmic problem. That means the search for efficient procedures to
tackle larger and larger subclasses of verification tasks will never end. In this paper
we investigate to what extent a very simple and natural "reachability as deducibility"
approach is applicable to the verification of such systems. Consider an encoding
$e : s \mapsto \varphi_s$ of states of a transition system $S = (S, \to)$ by formulae of
first-order predicate logic satisfying the following property: the state $s'$ is reachable
from $s$, i.e. $s \to^* s'$, if and only if $\varphi_{s'}$ is a logical consequence of
$\varphi_s$, that is $\varphi_s \models \varphi_{s'}$, or $\varphi_s \vdash \varphi_{s'}$.
Under such an assumption establishing reachability amounts to theorem proving, while
deciding non-reachability becomes theorem disproving. To verify a safety property,
i.e. non-reachability of unsafe states, it is sufficient to disprove a formula of the form
$\varphi \to \psi$. Moreover, for safety verification already half of the assumption on the
encoding is sufficient: $(s \to^* s') \Rightarrow (\varphi_s \vdash \varphi_{s'})$. The task of
disproving can then be delegated to generic model finding procedures for first-order
predicate logic [5].

Such an approach to verification originated within research on formal methods for
the analysis of cryptographic protocols 12312211 11151. Being unaware of these
developments in the verification of cryptographic protocols, and coming from a
different perspective, we re-invented the finite countermodel finding approach and
applied it in the different context of verification of parameterized and infinite state
systems [17,18,19].



We show in [19] that the parallel composition of a complete finite model finder and
a complete theorem prover provides a decision procedure for safety properties of lossy
channel systems O under an appropriate encoding. Using the finite model finder Mace4
[20] coupled with the theorem prover Prover9 [20] we successfully applied the method to
the verification of the alternating bit protocol, specified as a lossy channel system; all
parameterized cache coherence protocols from Q; a series of coverability and reachability
tasks concerning Petri Nets; the parameterized Dining Philosophers Problem (DPP); and
parameterized linear systems (arrays) of finite automata.

Despite the wide range of parameterized verification tasks tackled successfully by the
method, the only result concerning completeness presented so far is that on the
verification of lossy channel systems [19]. The aim of this paper is to investigate further
the completeness of the finite countermodel finding method for much larger classes of
parameterized verification tasks. Note that we focus here on relative completeness with
respect to well-known methods. To introduce the method we present as a case study in
Section 3 the details of the automated verification of a parameterized mutual exclusion
protocol, which is an instance of the parameterized model defined in Section 2. Further,
we present an appropriate translation of verification tasks for parameterized systems of
finite automata arranged in linear arrays into formulae of first-order predicate logic
(Subsection 4.1). We show in Subsection 4.2 that the proposed finite countermodel
finding method is at least as powerful as the methods based on monotone abstraction
and symbolic backward reachability analysis [1] for this class of verification problems.
Further, in Section 5 we extend the relative completeness of the approach and show that
it can solve all safety verification problems which can be solved by traditional regular
model checking EH. In Section 6 we discuss related work and Section 7 concludes the
paper.

1.1 Preliminaries 

We assume that the reader is familiar with the basics of first-order logic and algebra.
In particular, we use without definitions the following concepts: first-order predicate
logic, first-order models, interpretations of relational, functional and constant symbols,
satisfaction $M \models \varphi$ of a formula $\varphi$ in a model $M$, semantical consequence
$\varphi \models \psi$, deducibility (derivability) $\vdash$ in first-order logic, monoid,
homomorphism, finite automata and the algebraic characterization of regular languages.
We denote interpretations by square brackets, so, for example, $[f]$ denotes the
interpretation of a functional symbol $f$ in a model. We also use the existence of
complete finite model finding procedures for first-order predicate logic [5,20], which,
given a first-order sentence $\varphi$, eventually produce a finite model for $\varphi$ if such
a model exists.

2 Parameterized linear arrays of automata 

The computational model we first consider in this paper consists of parameterized
systems of finite automata arranged in linear arrays [1]. Formally, a parameterized
system $\mathcal{P}$ is a pair $(Q, T)$, where $Q$ is a finite set of local states of processes
and $T$ is a finite set of transition rules. Every transition rule has one of the following
forms:

- $q \to q'$, where $q, q' \in Q$;

- $\Theta : q \to q'$, where $q, q' \in Q$ and $\Theta$ is a condition of the form
$\forall_I J$ or $\exists_I J$.

Here $J \subseteq Q$ and $I$ is an indicator of the context, which may be one of the
following: $L$ (for Left), $R$ (for Right), or $LR$ (for both Left and Right).

Given a parameterized system $\mathcal{P} = (Q, T)$, a configuration of the system is a
word $c = c_1 c_2 \cdots c_n \in Q^*$. Intuitively, the configuration represents the local
states of a family of $n$ finite state automata (processes) arranged in a linear array;
so, for example, $c_i \in Q$ is the local state of the automaton at position $i$ in the
array.

For a configuration $c = c_1 \ldots c_n$, a position $i$ with $1 \le i \le n$, and a
condition, we define a satisfaction relation $\models$:

- $(c, i) \models \forall_L J$ iff $\forall k < i \; c_k \in J$;

- $(c, i) \models \forall_R J$ iff $\forall k > i \; c_k \in J$;

- $(c, i) \models \forall_{LR} J$ iff $(c, i) \models \forall_L J$ and $(c, i) \models \forall_R J$;

- $(c, i) \models \exists_L J$ iff $\exists k < i \; c_k \in J$;

- $(c, i) \models \exists_R J$ iff $\exists k > i \; c_k \in J$;

- $(c, i) \models \exists_{LR} J$ iff $(c, i) \models \exists_L J$ or $(c, i) \models \exists_R J$.

A parameterized system $\mathcal{P} = (Q, T)$ induces a transition relation $\to_\mathcal{P}$
on the set $C$ of all configurations as follows. For two configurations, $c \to_\mathcal{P} c'$
holds iff either

- $q \to q'$ is a transition in $T$ and for some $i$ with $1 \le i \le n$ we have
$c_i = q$, $c'_i = q'$ and $\forall j \ne i \; c_j = c'_j$, or

- $\Theta : q \to q'$ is a transition in $T$ and for some $i$ with $1 \le i \le n$ we have
$c_i = q$, $c'_i = q'$, $(c, i) \models \Theta$ and $\forall j \ne i \; c_j = c'_j$.

The general form of the verification problem we consider here is as follows.

Given: A parameterized system $\mathcal{P} = (Q, T)$, a set $In \subseteq C$ of initial
configurations, and a set $B \subseteq C$ of bad configurations.

Question: Are there any configurations $c \in In$ and $c' \in B$ such that $c'$ is
reachable from $c$ in $\mathcal{P}$, i.e. for which $c \to^*_\mathcal{P} c'$ holds?

A negative answer to the above question means the safety property ("not $B$") holds
for the parameterized system.



3 Case study 



3.1 Mutual Exclusion Protocol 

We consider the verification of the parameterized mutual exclusion protocol which was
used as an illustrative example in [1]. This protocol is specified as a parameterized
system $\mathcal{ME} = (Q, T)$, where $Q = \{green, black, blue, red\}$ and $T$ consists of
the following transitions:

- $\forall_{LR}\{green, black\} : green \to black$

- $black \to blue$

- $\exists_L\{black, blue, red\} : blue \to blue$

- $\forall_L\{green\} : blue \to red$

- $red \to black$

- $black \to green$

The set of initial configurations $In = green^*$ consists of all configurations with
all automata in the green state. The safety property we would like to check is mutual
exclusion of red states, i.e. in any reachable configuration there is no more than one
automaton in the red state. The set $B$ of bad configurations is then defined by the
straightforward regular expression $B = Q^*\, red\, Q^*\, red\, Q^*$.

3.2 First-Order encoding 

We define a translation of the above parameterized system into a set $\Phi_\mathcal{P}$ of
formulae of first-order logic. The vocabulary of $\Phi_\mathcal{P}$ consists of

- constants $green$, $blue$, $black$, $red$ and $e$;

- one binary functional symbol $*$;

- unary predicates $R$, $G$, $GB$.

Given a configuration $c = c_1 \ldots c_n$ of $\mathcal{P}$, define its term translation as
$t_c = c_1 * \ldots * c_n$. It is well-defined modulo the associativity of $*$, which we
specify in the formulae, and uses the assumption that the language has all elements of
$Q$ as constants.

The intended meaning of the atomic formula $R(t_c)$ is that the configuration $c$ is
reachable, while $G(t_c)$ and $GB(t_c)$ mean that $c$ has only automata in green states,
and that $c$ has only automata in green or black states, respectively.

Let $\Phi_\mathcal{P}$ be the set of the following formulae, which are all assumed to be
universally closed:

- $(x * y) * z = x * (y * z)$

- $e * x = x * e = x$

($*$ is a monoid operation and $e$ is the unit of the monoid)

- $G(e)$

- $G(x) \to G(x * green)$

(specification of configurations with all states green)

- $GB(e)$

- $GB(x) \to GB(x * green)$

- $GB(x) \to GB(x * black)$

(specification of configurations with all states green or black)

- $G(x) \to R(x)$

(initial state assumption: "all green" configurations are reachable)

- $(R((x * green) * y) \wedge GB(x) \wedge GB(y)) \to R((x * black) * y)$

- $R((x * black) * y) \to R((x * blue) * y)$

- $(R((x * blue) * y) \wedge (x = (z * black) * w)) \to R((x * blue) * y)$

- $(R((x * blue) * y) \wedge (x = (z * blue) * w)) \to R((x * blue) * y)$

- $(R((x * blue) * y) \wedge (x = (z * red) * w)) \to R((x * blue) * y)$

- $(R((x * blue) * y) \wedge G(x)) \to R((x * red) * y)$

- $R((x * red) * y) \to R((x * black) * y)$

- $R((x * black) * y) \to R((x * green) * y)$

(specification of reachability by one-step transitions from $T$; one formula per
transition, except for the case with an existential condition, where three formulae
are used)

Now we have a key proposition.

Proposition 1 (adequacy of encoding). If a configuration $c$ is reachable in
$\mathcal{ME}$ then $\Phi_\mathcal{P} \vdash R(t_c)$.

Proof. By straightforward induction on the length of transition sequences in
$\mathcal{ME}$. $\square$

3.3 Verification 

It follows now that to establish the safety property of the protocol (mutual exclusion),
it suffices to show that $\Phi_\mathcal{P} \nvdash \exists x \exists y \exists z\, R((((x * red) * y) * red) * z)$.
Indeed, if, on the contrary, some bad configuration $c$ were reachable, then by
Proposition 1 we would have for some terms $t_1, t_2, t_3$ that $\Phi_\mathcal{P} \vdash R(t_c)$
where $t_c = (((t_1 * red) * t_2) * red) * t_3$, and therefore
$\Phi_\mathcal{P} \vdash \exists x \exists y \exists z\, R((((x * red) * y) * red) * z)$. Further, to
show non-deducibility, it is sufficient to find a countermodel for
$\Phi_\mathcal{P} \to \exists x \exists y \exists z\, R((((x * red) * y) * red) * z)$.

Now we propose to delegate this last task to an automated procedure for finite model
finding, which would search for a finite model of

$\Phi_\mathcal{P} \wedge \neg \exists x \exists y \exists z\, R((((x * red) * y) * red) * z)$

In the practical implementation of this scheme we used the finite model finder Mace4
[20], which was able to find the required model in 0.03 seconds. The actual input for
Mace4 and further details can be found in [18].

A priori, to disprove an implication in first-order logic, searching for finite
countermodels may not be sufficient, for such countermodels may inevitably be infinite.
It has turned out empirically, though, that for many known (classes of) parameterized
problems, finite model finding is indeed both sufficient and efficient. In [19] we
established the first result on completeness of the method for a particular class of
infinite state verification tasks. Here we demonstrate further results on relative
completeness.
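The countermodel search of Sections 3.2 and 3.3, as an added example that is neither the paper's code nor its Mace4 input: following the construction used later in the proof of Theorem 1, it builds a finite model from a hand-chosen inductive invariant of the protocol, the regular set $\{green,black,blue\}^* \cup green^*\, red\, \{green,black,blue\}^*$ (an assumption of this example), takes the transition monoid of a DFA for that set as the domain, interprets $R$ as the image of the invariant, and checks by exhaustive enumeration that every formula of $\Phi_\mathcal{P}$ holds while $\exists x \exists y \exists z\, R((((x * red) * y) * red) * z)$ is false.

```python
"""Finite countermodel for the mutual exclusion protocol of Section 3.

Constructed example: the domain is the transition monoid of a DFA for the
hand-chosen inductive invariant
    L = {green,black,blue}* U green* red {green,black,blue}*,
[R] is h(L), and every formula of Phi_P is checked by enumerating all
assignments, while  exists x,y,z. R((((x*red)*y)*red)*z)  is checked to fail.
"""
from functools import reduce
from itertools import product

# DFA for L.  States: 0 = only greens so far, 1 = some black/blue seen and no
# red, 2 = one red seen after only greens, 3 = dead.  States 0, 1, 2 accept.
STATES, START, ACCEPT = (0, 1, 2, 3), 0, {0, 1, 2}
LETTER = {                      # [green], [black], [blue], [red] as state maps
    "green": (0, 1, 2, 3),
    "black": (1, 1, 2, 3),
    "blue": (1, 1, 2, 3),
    "red": (2, 3, 3, 3),
}
E = (0, 1, 2, 3)                # [e]: identity map, the unit of the monoid

def mul(f, g):
    """[*]: the monoid operation, apply f then g (word order, as in t_c)."""
    return tuple(g[f[s]] for s in STATES)

def h(word):
    """Homomorphism Q* -> M, i.e. the value of the term t_c in the model."""
    return reduce(mul, (LETTER[q] for q in word), E)

def closure(generators):
    """Least set containing [e] and closed under x -> x * q for q in generators."""
    closed, frontier = {E}, [E]
    while frontier:
        x = frontier.pop()
        for q in generators:
            y = mul(x, q)
            if y not in closed:
                closed.add(y)
                frontier.append(y)
    return closed

DOMAIN = sorted(closure(LETTER.values()))            # the transition monoid
R_SET = {x for x in DOMAIN if x[START] in ACCEPT}     # [R] = h(L)
G_SET = closure([LETTER["green"]])                    # [G]: images of green*
GB_SET = closure([LETTER["green"], LETTER["black"]])  # [GB]: {green,black}*
R, G, GB = R_SET.__contains__, G_SET.__contains__, GB_SET.__contains__
g, k, b, r = (LETTER[q] for q in ("green", "black", "blue", "red"))

def imp(p, q):
    """Material implication."""
    return (not p) or q

def step(x, q, y):
    """The term (x * q) * y."""
    return mul(mul(x, q), y)

# Phi_P of Section 3.2 as (name, number of free variables, body).  Every
# formula is universally closed; failing_formulae enumerates all assignments.
PHI_P = [
    ("assoc", 3, lambda x, y, z: mul(mul(x, y), z) == mul(x, mul(y, z))),
    ("unit", 1, lambda x: mul(E, x) == x == mul(x, E)),
    ("G(e)", 0, lambda: G(E)),
    ("G(x) -> G(x*green)", 1, lambda x: imp(G(x), G(mul(x, g)))),
    ("GB(e)", 0, lambda: GB(E)),
    ("GB(x) -> GB(x*green)", 1, lambda x: imp(GB(x), GB(mul(x, g)))),
    ("GB(x) -> GB(x*black)", 1, lambda x: imp(GB(x), GB(mul(x, k)))),
    ("G(x) -> R(x)", 1, lambda x: imp(G(x), R(x))),
    ("green -> black", 2,
     lambda x, y: imp(R(step(x, g, y)) and GB(x) and GB(y), R(step(x, k, y)))),
    ("black -> blue", 2, lambda x, y: imp(R(step(x, k, y)), R(step(x, b, y)))),
    ("blue -> blue (black on the left)", 4,
     lambda x, y, z, w: imp(R(step(x, b, y)) and x == step(z, k, w), R(step(x, b, y)))),
    ("blue -> blue (blue on the left)", 4,
     lambda x, y, z, w: imp(R(step(x, b, y)) and x == step(z, b, w), R(step(x, b, y)))),
    ("blue -> blue (red on the left)", 4,
     lambda x, y, z, w: imp(R(step(x, b, y)) and x == step(z, r, w), R(step(x, b, y)))),
    ("blue -> red", 2, lambda x, y: imp(R(step(x, b, y)) and G(x), R(step(x, r, y)))),
    ("red -> black", 2, lambda x, y: imp(R(step(x, r, y)), R(step(x, k, y)))),
    ("black -> green", 2, lambda x, y: imp(R(step(x, k, y)), R(step(x, g, y)))),
]

def failing_formulae(formulae=PHI_P):
    """Names of formulae falsified by some assignment; [] means a model of Phi_P."""
    return [name for name, n, body in formulae
            if not all(body(*args) for args in product(DOMAIN, repeat=n))]

def bad_formula_holds():
    """Truth value of  exists x,y,z. R((((x*red)*y)*red)*z)  in the model."""
    return any(R(mul(step(x, r, y), mul(r, z)))
               for x, y, z in product(DOMAIN, repeat=3))

if __name__ == "__main__":
    print("domain size:", len(DOMAIN))          # 4 elements suffice here
    print("falsified formulae:", failing_formulae())
    print("two reds reachable in the model:", bad_formula_holds())
```

An empty list from failing_formulae together with a false bad_formula_holds is exactly what a model reported by Mace4 certifies: by Proposition 1 no configuration with two reds is reachable.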



4 Correctness and Completeness 



4.1 First-Order Encoding for General Case 

In the general form of the verification problem above we have to agree on what the
allowed sets of initial and bad configurations can be, and what their constructive
representations are. Here we assume that

- one of the local states $q_0 \in Q$ is singled out as an initial state, and the set
$Init$ of initial configurations is always $q_0^*$, i.e. it consists of all configurations
in which all the automata are in their local initial states;

- the set $B$ of bad configurations is defined by a finite set of words $F \subseteq Q^*$:
$B = \{c \mid \exists w \in F \wedge w \sqsubseteq c\}$, where $w \sqsubseteq w'$ denotes that
$w$ is a (not necessarily contiguous) subword of $w'$. The elements of such an $F$ are
called generators of $B$.

To illustrate this last point, in our Case Study above the set of bad configurations $B$
is defined by an $F$ consisting of the one two-symbol word $red\, red$.

Given a parameterized system $\mathcal{P} = (Q, T)$, an initial local state $q_0 \in Q$,
and a finite set of words $F$, we translate all of this into a set of formulae of
first-order logic.

The vocabulary consists of

- constants for all elements of $Q$ plus one distinct constant, so we take $Q \cup \{e\}$,
with $e \notin Q$, as the set of constants;

- the binary functional symbol $*$;

- the unary relational symbol $In$;

- the unary relational symbol $R$;

- for every condition $\forall_I J$ in the transitions from $T$, a unary relational
symbol $P_J$.

Let $\Phi_\mathcal{P}$ be the set of the following formulae, which are all assumed to be
universally closed:

- $(x * y) * z = x * (y * z)$

- $e * x = x * e = x$

- $In(e)$

- $In(x) \to In(x * q_0)$

- $In(x) \to R(x)$

For every condition $\forall_I J$ in the transitions from $T$:

- $P_J(e)$

- $\bigwedge_{q \in J} (P_J(x) \to P_J(x * q))$

For every unconditional transition $q_1 \to q_2$ from $T$:

- $R((x * q_1) * y) \to R((x * q_2) * y)$

For every conditional transition $\forall_L J\,(q_1 \to q_2)$ from $T$:

- $(R((x * q_1) * y) \wedge P_J(x)) \to R((x * q_2) * y)$

For every conditional transition $\forall_R J\,(q_1 \to q_2)$ from $T$:

- $(R((x * q_1) * y) \wedge P_J(y)) \to R((x * q_2) * y)$

For every conditional transition $\forall_{LR} J\,(q_1 \to q_2)$ from $T$:

- $(R((x * q_1) * y) \wedge P_J(x) \wedge P_J(y)) \to R((x * q_2) * y)$

For every conditional transition $\exists_L J\,(q_1 \to q_2)$ from $T$:

- $\bigwedge_{q \in J} \big((R((x * q_1) * y) \wedge (x = (z * q) * w)) \to R((x * q_2) * y)\big)$

For every conditional transition $\exists_R J\,(q_1 \to q_2)$ from $T$:

- $\bigwedge_{q \in J} \big((R((x * q_1) * y) \wedge (y = (z * q) * w)) \to R((x * q_2) * y)\big)$

For every conditional transition $\exists_{LR} J\,(q_1 \to q_2)$ from $T$:

- $\bigwedge_{q \in J} \big((R((x * q_1) * y) \wedge ((x = (z * q) * w) \vee (y = (z * q) * w))) \to R((x * q_2) * y)\big)$

That concludes the definition of $\Phi_\mathcal{P}$. Next, for a word
$w = w_1 \ldots w_n \in Q^*$ we define (up to the associativity of $*$) the formula
$\psi_w$ as $R(x_0 * w_1 * x_1 * \ldots * x_{n-1} * w_n * x_n)$, where $x_0, \ldots, x_n$
are variables. Finally, we define $\Phi_F$ as $\exists \bar{x} \bigvee_{w \in F} \psi_w$
(here we assume that all variables are bound by existential quantifiers).
The following generalization of Proposition 1 holds. 

Proposition 2 (adequacy of encoding). If a configuration $c$ is reachable in
$\mathcal{P}$ then $\Phi_\mathcal{P} \vdash R(t_c)$.

Proof. By straightforward induction on the length of the transition sequences. $\square$

Corollary 1 (correctness of the method). If $\Phi_\mathcal{P} \nvdash \Phi_F$ then the
answer to the question of the verification problem is negative, that is, no bad
configuration is reachable from any of the initial configurations, and therefore the
safety property holds.

4.2 Relative completeness 

Here we show that on the class of verification problems described above our proposed
method is at least as powerful as the standard approach based on monotone abstraction
[1]. Specifically, if for a parameterized system $\mathcal{P}$ the approach of [1] proves
a safety property, then our method based on finite countermodel finding will also
succeed in establishing this property, provided a complete finite model finding
procedure is used.

First, we briefly outline the monotone abstraction approach. Given a parameterized
system $\mathcal{P} = (Q, T)$ and the corresponding transition relation $\to_\mathcal{P}$ on
the configurations of $\mathcal{P}$, [1] defines the monotonic abstraction
$\to^A_\mathcal{P}$ of $\to_\mathcal{P}$ as follows.

We have $c_1 \to^A_\mathcal{P} c_2$ iff there exists a configuration $c'_1$ such that
$c'_1 \sqsubseteq c_1$ and $c'_1 \to_\mathcal{P} c_2$.

The relation $\to^A_\mathcal{P}$ so defined is an over-approximation of $\to_\mathcal{P}$.
To establish the safety property, i.e. to get a negative answer to the question of the
verification problem above, [1] proposes using a symbolic backward reachability
algorithm for the monotone abstraction. Starting with the upward closed (w.r.t.
$\sqsubseteq$) set of bad configurations $B = \{c \mid \exists w \in F \wedge w \sqsubseteq c\}$,
the algorithm iteratively computes the sets of configurations backwards reachable along
$\to^A_\mathcal{P}$ from $B$:

- $U_0 = B$

- $U_{i+1} = U_i \cup Pre(U_i)$

where $Pre(U) = \{c \mid \exists c' \in U \wedge c \to^A_\mathcal{P} c'\}$. Since the relation
$\sqsubseteq$ is a well quasi-ordering [1], this iterative process is guaranteed to
stabilize, i.e. $U_{n+1} = U_n$ for some finite $n$. During the computation each $U_i$ is
represented symbolically by a finite set of generators. Once the process has stabilized
on some $U$, it is checked whether $Init \cap U = \emptyset$. If this condition is
satisfied then safety is established, for no bad configuration can be reached from the
initial configurations via $\to^A_\mathcal{P}$ and, a fortiori, via $\to_\mathcal{P}$.

Theorem 1 (relative completeness). Given a parameterized system $\mathcal{P} = (Q, T)$
and the set of bad configurations $B = \{c \mid \exists w \in F \wedge w \sqsubseteq c\}$,
assume the algorithm described above terminates with $Init \cap U = \emptyset$. Then there
exists a finite model for $\Phi_\mathcal{P} \wedge \neg\Phi_F$.
Proof. First we observe that since $U \subseteq Q^*$ has a finite set of generators, it is
a regular set. According to the algebraic characterization of regular sets, there exists
a finite monoid $\mathcal{M} = (M, \circ)$, a subset $S \subseteq M$ and a homomorphism
$h : Q^* \to \mathcal{M}$ from the free monoid $Q^*$ to $\mathcal{M}$ such that
$U = \{w \mid w \in Q^* \wedge h(w) \in S\}$. We set $M$ to be the domain of the required
finite model.

Now we define the interpretations of constants: for $q \in Q$, $[q] = h(q)$, and
$[e] = 1$, where $1$ is the unit element of the monoid.

The interpretation $[*]$ of $*$ is the monoid operation $\circ$. We define the
interpretation of $R$ as $[R] = M - S$.

We define the interpretation of $In$ inductively: $[In]$ is the least subset of $M$
satisfying $1 \in [In]$ and $\forall x \in [In]\; x \circ [q_0] \in [In]$.

The interpretation of $P_J$ is defined inductively as follows: $[P_J]$ is the least
subset of $M$ satisfying $1 \in [P_J]$ and $\forall x \in [P_J]\; \forall q \in J\;
x \circ [q] \in [P_J]$. That concludes the definition of the finite model, which we
denote by $\mathfrak{M}$. The key property of the model is given by the following lemma.

Lemma 1. $h(w) \in [R]$ iff no bad configuration is $\to^A_\mathcal{P}$-reachable from $w$.

Proof is straightforward from the definitions of $U$, $\mathcal{M}$, $h$ and $[R]$.

It follows immediately that $\mathfrak{M} \models \neg\Phi_F$. To show that
$\mathfrak{M} \models \Phi_\mathcal{P}$ we show that $\mathfrak{M} \models \varphi$ for every
$\varphi \in \Phi_\mathcal{P}$. For the first seven formulae in the definition of
$\Phi_\mathcal{P}$ this involves a routine check of the definitions. We show here only one
case of the remaining formulae axiomatizing $R$.



To demonstrate $\mathfrak{M} \models (R((x * q_1) * y) \wedge P_J(x)) \to R((x * q_2) * y)$ for some
$\forall_L J\,(q_1 \to q_2)$ in $T$, assume that the left-hand side of the implication is
satisfied in $\mathfrak{M}$ for some assignment of the variables. That means there are
$t_1, t_2 \in M$ such that $t_1 \circ h(q_1) \circ t_2 \in [R]$ and $t_1 \in [P_J]$.
Furthermore, there are $w_1, w_2 \in Q^*$ such that $t_1 = h(w_1)$, $t_2 = h(w_2)$ and no bad
configuration is $\to^A_\mathcal{P}$-reachable from $w_1 q_1 w_2$. Now, a transition by the
rule $\forall_L J\,(q_1 \to q_2)$ is possible from $w_1 q_1 w_2$, resulting in the
configuration $w_1 q_2 w_2$, from which it is still the case that no bad configuration is
reachable. This implies $h(w_1) \circ h(q_2) \circ h(w_2) \in [R]$, and therefore
$\mathfrak{M} \models (R((x * q_1) * y) \wedge P_J(x)) \to R((x * q_2) * y)$. The remaining
cases are tackled in a similar way. $\square$

4.3 FCM is stronger than monotone abstraction 

For some parameterized systems the method based on monotone abstraction may fail to
establish safety even though it actually holds. The reason for this is a possible
over-approximation of the set of reachable states as a result of the abstraction. A
simple example of such a case is given in [2]. The parameterized system $(Q, T)$ where
$Q = \{q_0, q_1, q_2, q_3, q_4\}$ and where $T$ includes the following transition rules

1. $\forall\{q_0, q_1, q_4\} : q_0 \to q_1$

2. $q_1 \to q_2$

3. $\forall_L\{q_0\} : q_2 \to q_3$

4. $q_3 \to q_0$

5. $\exists_{LR}\{q_2\} : q_3 \to q_4$

6. $q_4 \to q_3$

satisfies mutual exclusion for state $q_4$, but this fact cannot be established by the
monotone abstraction method from [1]. However, using the first-order encoding presented
above and the finite model finder we have verified mutual exclusion for this system,
demonstrating that the FCM method is stronger than monotone abstraction. Mace4 found a
finite countermodel of size 6 in 341s. See details in [18] and the Appendix.

The issue of over-approximation has been addressed in [2], where two refinements of
the monotonic abstraction method were proposed. One resulted in an exact
context-sensitive symbolic algorithm which allows one to compute exact symbolic
representations of predecessor configurations, but whose termination is not guaranteed.
On the other hand, an approximated context-sensitive symbolic algorithm is also
proposed which, while guaranteed to terminate, may still lead to over-approximation. One
can show the relative completeness of the FCM method with respect to both algorithms
for the case of safety verification. In both algorithms safety is established when a
finite representation of a set $U$ of configurations backwards reachable from unsafe
states is obtained upon termination of the algorithm. In both cases such a set $U$ can
be shown to be regular, and therefore one can apply the arguments used in the proof of
Theorem 1. We postpone the detailed presentation till another occasion, but would like
to emphasize that the main reason for the relative completeness here is the mere
existence of regular sets of configurations subsuming all reachable configurations and
disjoint from the unsafe configurations.



5 Regular model checking 



The result of the previous section may appear rather narrow and tied to a specific
class of parameterized systems. The verification of safety for this class can be
re-formulated for, and dealt with by, the traditional regular model checking
approach [21]. In this section we extend our relative completeness result and show that
whenever safety for a parameterized system can be established by the regular model
checking approach, then it can also be verified by the finite countermodel finding
method.

We start with the basics of the traditional regular model checking approach, borrowing
standard definitions largely from [14]. A finite automaton is a tuple
$M = (Q, \Sigma, \delta, q_0, F)$, where $Q$ is a finite set of states, $\Sigma$ is a finite
alphabet, $\delta \subseteq Q \times \Sigma \times Q$ is a set of transitions, $q_0 \in Q$ is
an initial state and $F \subseteq Q$ is a set of final (accepting) states. $M$ is a
deterministic automaton if $\forall q \in Q\; \forall a \in \Sigma$ there exists at most one
$q'$ such that $(q, a, q') \in \delta$. With every finite automaton we associate a
transition relation $\to \subseteq Q \times \Sigma^* \times Q$, which is defined as the
smallest relation satisfying: (1) $\forall q \in Q\; q \to^{\varepsilon} q$; (2) if
$(q, a, q') \in \delta$ then $q \to^{a} q'$; (3) if $q \to^{w} q'$ and $q' \to^{a} q''$ then
$q \to^{wa} q''$. The language recognized by the automaton $M$ is defined as
$L(M) = \{w \mid \exists q' \in F \wedge q_0 \to^{w} q'\}$.

Let $\Sigma$ be a finite alphabet and $\varepsilon \notin \Sigma$. Let
$\Sigma_\varepsilon = \Sigma \cup \{\varepsilon\}$. A finite transducer over $\Sigma$ is a tuple
$\tau = (Q, \Sigma^* \times \Sigma^*, \delta, q_0, F)$, where $Q$ is a finite set of states,
$\delta \subseteq Q \times \Sigma_\varepsilon \times \Sigma_\varepsilon \times Q$ is a set of
transitions, $q_0 \in Q$ is an initial state, and $F \subseteq Q$ is a set of final
(accepting) states. The transition relation $\to \subseteq Q \times \Sigma^* \times \Sigma^* \times Q$
is defined as the smallest relation satisfying: (1) $q \to^{\varepsilon,\varepsilon} q$ for every
$q \in Q$; (2) if $(q, a, b, q') \in \delta$ then $q \to^{a,b} q'$; and (3) if
$q \to^{w,u} q'$ and $q' \to^{a,b} q''$ then $q \to^{wa,ub} q''$. With every transducer
$\tau$ we associate a binary relation
$r_\tau = \{(w, u) \mid \exists q' \in F \wedge q_0 \to^{w,u} q'\}$. Let $r^*_\tau$ denote
the reflexive and transitive closure of $r_\tau$.

The verification of safety properties in the framework of regular model checking
proceeds as follows. The set of initial states of the parameterized (or infinite state)
system is presented by an effectively given (by a finite automaton) regular language
$Init$. The set of "bad", or unsafe, states is described by another regular language
$Bad$. One-step transitions of the system to be verified are presented by a transducer
relation $r_\tau$ (for some finite state transducer $\tau$). The verification of a safety
property ("never get into the bad states") is reduced to the following.

Problem 1. Given regular sets $Init$ and $Bad$ and a finite transducer $\tau$, does
$r^*_\tau(Init) \cap Bad = \emptyset$ hold?

Regular model checking (RMC) is one of the most general methods for the formal
verification of parameterized and infinite state systems [21,4]. One of the issues with
the method is that the termination of the computation of the transitive closure
$r^*_\tau(Init)$ is not guaranteed. To alleviate this issue, various acceleration methods
have been proposed. We show that the finite countermodel finding method is actually as
powerful as any variant of RMC; the only assumption needed to guarantee its termination
is the existence of a regular set $\mathcal{R}$ subsuming $r^*_\tau(Init)$ and disjoint from
$Bad$.



5.1 From regular model checking to first-order disproving 

In this subsection we show how to reduce the generic regular model checking question
posed in Problem 1 above to the problem of disproving a formula of classical first-order
predicate logic. The solution of the latter problem is then delegated to a generic
automated finite model finding procedure.

Assume we are given

- a finite state automaton $M_1 = (Q_1, \Sigma, \delta_1, q_{01}, F_1)$ recognizing a regular
language $Init$;

- a finite state automaton $M_2 = (Q_2, \Sigma, \delta_2, q_{02}, F_2)$ recognizing a regular
language $Bad$;

- a finite state length-preserving transducer $\tau = (Q, \Sigma^* \times \Sigma^*, \delta, q_0, F)$
representing the transition relation $r_\tau$.

Assume also (without loss of generality) that the sets $Q_1$, $Q_2$, $Q$, $\Sigma$ are
pairwise disjoint. Now we define a set of formulae of first-order predicate logic as
follows. In fact, it is a formalization of the above definition of $\to$ within
first-order predicate logic.
The vocabulary consists of

- constants for all elements of $\Sigma \cup Q_1 \cup Q_2 \cup Q$ plus one distinct
constant $e$;

- a binary functional symbol $*$;

- unary relational symbols $R$, $Init$ and $Bad$;

- a binary relational symbol $Trans$;

- a ternary relational symbol $T^{(3)}$;

- a 4-ary relational symbol $T^{(4)}$.

Let $\Phi$ be the set of the following formulae, which are all assumed to be universally
closed:

1. $(x * y) * z = x * (y * z)$

2. $T^{(3)}(q, e, q)$ for all $q \in Q_1 \cup Q_2$;

3. $T^{(3)}(q, a, q')$ for all $(q, a, q') \in \delta_1 \cup \delta_2$;

4. $T^{(3)}(x, y, z) \wedge T^{(3)}(z, v, w) \to T^{(3)}(x, y * v, w)$

5. $\bigvee_{q \in F_1} T^{(3)}(q_{01}, x, q) \to Init(x)$

6. $\bigvee_{q \in F_2} T^{(3)}(q_{02}, x, q) \to Bad(x)$

7. $T^{(4)}(x, e, e, x)$

8. $T^{(4)}(q, a, b, q')$ for all $(q, a, b, q') \in \delta$

9. $T^{(4)}(x, y, z, v) \wedge T^{(4)}(v, y', z', w) \to T^{(4)}(x, y * y', z * z', w)$

10. $Trans(x, y) \leftrightarrow \bigvee_{q \in F} T^{(4)}(q_0, x, y, q)$

11. $Init(x) \to R(x)$

12. $R(x) \wedge Trans(x, y) \to R(y)$

Proposition 3 (adequacy of Init and Bad translations).

If $w \in Init$ then $\Phi \vdash Init(t_w)$.
If $w \in Bad$ then $\Phi \vdash Bad(t_w)$.

Proof. For $w = s_1 \ldots s_n \in Init$ we have that $w$ is accepted by the finite
automaton $M_1$, which means there is a sequence of states $q'_0 = q_{01}, q'_1, \ldots, q'_n$
with $q'_n \in F_1$ such that $(q'_{i-1}, s_i, q'_i) \in \delta_1$ for $i = 1, \ldots, n$. By
the definition of $\Phi$ (clause 3) all formulae $T^{(3)}(q'_{i-1}, s_i, q'_i)$ are in $\Phi$.
Together with clause 4, this gives $\Phi \vdash T^{(3)}(q_{01}, t_w, q'_n)$. This, with
$q'_n \in F_1$ and using clause 5, entails $\Phi \vdash Init(t_w)$. The second statement is
proved in the same way. $\square$

Proposition 4 (adequacy of encoding). If $w \in r^*_\tau(Init)$ then $\Phi \vdash R(t_w)$.

Proof. Easy induction on the length of transition sequences.

- Induction base case. Let $w \in Init$. Then $\Phi \vdash Init(t_w)$ (by Proposition 3),
and further $\Phi \vdash R(t_w)$ (using clause 11).

- Induction step case. Let $w \in r^{n+1}_\tau(Init)$. Then there exists $w'$ such that
$w' \in r^{n}_\tau(Init)$ and $(w', w) \in r_\tau$. By the induction assumption
$\Phi \vdash R(t_{w'})$. Further, by an argument analogous to the proof of Proposition 3,
$(w', w) \in r_\tau$ entails $\Phi \vdash T^{(4)}(q_0, t_{w'}, t_w, q)$ for some $q \in F$. It
follows, using clause 10, that $\Phi \vdash Trans(t_{w'}, t_w)$. From this, clause 12 and
the induction assumption, $\Phi \vdash R(t_w)$ follows.

Corollary 2. If $r^*_\tau(Init) \cap Bad \ne \emptyset$ then
$\Phi \vdash \exists x (R(x) \wedge Bad(x))$.

Corollary 2 serves as the formal underpinning of the proposed verification method. In
order to prove safety, that is $r^*_\tau(Init) \cap Bad = \emptyset$, it suffices to
demonstrate $\Phi \nvdash \exists x (R(x) \wedge Bad(x))$, or equivalently, to disprove
$\Phi \to \exists x (R(x) \wedge Bad(x))$. We delegate this task to finite model finding
procedures, which search for finite countermodels for $\Phi \to \exists x (R(x) \wedge Bad(x))$.

5.2 Relative completeness with respect to RMC 

As highlighted earlier, searching for finite countermodels to disprove non-valid
first-order formulae may not always lead to success, because for some formulae the
countermodels are inevitably infinite. In this subsection we show that this is not the
case for the first-order encodings of the problems which can be positively answered by
RMC, and therefore such problems can also be resolved positively by the proposed finite
countermodel finding method, provided a complete finite model finding procedure is used.

Assume that RMC answers the question of Problem 1 above positively. In the RMC
approach the positive answer follows from producing a regular set $\mathcal{R}$ such that
$r^*_\tau(Init) \subseteq \mathcal{R}$ and $\mathcal{R} \cap Bad = \emptyset$. We show that in such
a case there always exists a finite countermodel for $\Phi \to \exists x (R(x) \wedge Bad(x))$.

Theorem 2 (relative completeness). Let $Init$ and $Bad$ be regular sets given by
recognizing finite automata $M_1$ and $M_2$, and let $\tau$ be a finite state transducer.
Let $\Phi$ be the first-order formula defined above. If there exists a regular set
$\mathcal{R}$ such that $r^*_\tau(Init) \subseteq \mathcal{R}$ and $\mathcal{R} \cap Bad = \emptyset$,
then there exists a finite countermodel for $\Phi \to \exists x (R(x) \wedge Bad(x))$.



Proof.

Since $\mathcal{R}$ is regular, according to the algebraic characterization of regular
sets there exists a finite monoid $\mathcal{M} = (M, \circ)$, a subset $S \subseteq M$ and a
homomorphism $h : \Sigma^* \to M$ such that $\mathcal{R} = \{w \mid w \in \Sigma^* \wedge h(w) \in S\}$.

We take $M \cup Q_1 \cup Q_2$ to be the domain of the required finite model, and then
define the interpretations as follows.

• For $a \in \Sigma$, $[a] = h(a)$;

• $[e] = 1$, where $1$ is the unit element of the monoid;

• $[*]$ is the monoid operation $\circ$;

• the interpretations of $T^{(3)}$ and $T^{(4)}$ are defined inductively, as the least
subsets of tuples satisfying, respectively, formulae (2)-(4) and (7)-(9) (and assuming
all interpretations given above);

• the interpretations of $Init$ and $Bad$ are defined to be the least subsets satisfying
(5) and (6), respectively (assuming all interpretations above);

• the interpretation of $Trans$ is defined by (10) (assuming all interpretations above);

• the interpretation of $R$ is $S$.

Now it is straightforward to check that the finite model so defined indeed satisfies
$\Phi \wedge \neg\exists x (R(x) \wedge Bad(x))$. Checking that $\Phi$ is satisfied is a routine
inspection of the definitions. To check that $\neg\exists x (R(x) \wedge Bad(x))$ is satisfied,
assume the opposite holds. So there exists an element $a$ of the monoid $\mathcal{M}$ such
that $a \in [R]$ and $a \in [Bad]$. Then, for a word $w \in \Sigma^*$ such that $h(w) = a$, we
have $w \in \mathcal{R} \cap Bad \ne \emptyset$, which contradicts the assumption of the
theorem. $\square$

5.3 Optimizations 

In many cases (i.e. in many subclasses of verification tasks), the transition relation 
and/or the sets of 'initial' and 'bad' states are described not by finite state transduc- 
ers/automata, but in more explicit and simpler ways, e.g. by rewriting rules for transi- 
tions and simple grammars generating sets of states. In such cases the first-order trans- 
lations can be made simpler and the whole procedure more efficient. Our treatment of 
the case of parameterized linear automata in Section 4 can be seen as an illustration of 
such a modification. 

5.4 Experimental results 

In the experiments we used the finite model finder Mace4 [20] within the package 
Prover9-Mace4, Version 0.5, December 2007. It is not the latest available version, 
but it provides a convenient GUI for both the theorem prover and the finite model 
finder. The system configuration used in the experiments: Microsoft Windows XP Pro- 
fessional, Version 2002, Intel(R) Core(TM)2 Duo CPU T7100 @ 1.8GHz (1.79GHz), 
1.00 GB of RAM. The time measurements are done by Mace4 itself: upon completion 
of the model search it reports the CPU time used. The table below lists the pa- 
rameterised/infinite state protocols together with the references and shows the time it 
took Mace4 to find a countermodel and thereby verify a safety property. The time shown is an 
average of 10 attempts. 



Protocol                        Reference              Time 
Token passing (non-optimized)   [14]                   0.12s 
Token passing (optimized)       [14]                   0.01s 
Mutual exclusion I              [1] and Section 3      0.03s 
Mutual exclusion II             [2] and Section 4.2    341s 
Bakery                          [21]                   0.03s 
Paterson$^-$                    [8] and [18]           0.77s 



5.5 Beyond regular model checking 

The method of verification via disproving (countermodel finding) can also be applied 
to classes of problems where traditional regular model checking is not applicable. Con- 
sider, for example, the case where the set of initial states is not regular, so the standard 
algorithms of RMC are not applicable. In the paper [8] an extension of regular model 
checking is proposed which is capable of tackling some non-regular cases. Not claiming 
any kind of completeness (yet!), we show in this subsection that a case study exam- 
ple from [8] can be (partially, as for now) tackled by the finite countermodel finding 
method too. Consider the following string rewriting system over the alphabet {0, 1}, which 
is an encoding of the parameterized Paterson mutual exclusion algorithm from [8]: 

1. $x01y \to x10y$ where $x \in 0^*$, $y \in (1 + 0)^*$ 

2. $x101y \to x110y$ where $x \in (1 + 0)^*$, $y \in 1^*$ 

3. $x001y \to x010y$ where $x, y \in (1 + 0)^*$ 

4. $x0 \to 0x$ where $x \in (1 + 0)^*$ 

The safety condition for this rewriting system is 'Starting from any string of the 
form $0^n 1^n$, no string from the set $(0 + 1)^* 00$ is reachable' (mutual exclusion of the 
original Paterson algorithm). In [8] it is shown that the extension of RMC proposed 
there can successfully verify the condition. 

Following the translation from Section 4 we encode the string rewriting system 
into a first-order formula $\Phi$. Since the set of initial states is not regular, the formula 
contains a part specifying the generation of initial states by a context-free grammar: 
$R(e) \wedge (R(x) \to R((0 * x) * 1))$. 

In the experiments we failed to verify the correctness condition for the full Paterson al- 
gorithm; however, for the reduced string rewriting system Paterson$^-$, containing only 
the rules 1, 2 and 4, we have verified the safety condition above. Mace4 found a finite coun- 
termodel of size 8 in 0.77s. The details can be found in [18]. 
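The rewriting system above can be explored explicitly for fixed n, which is a cheap sanity check on the encoding before it is handed to a model finder. The following Python script is an added example, not code from the paper or from [8]: the four rules are transcribed from the list above, the initial strings $0^n 1^n$ and the bad set $(0+1)^*00$ follow the stated safety condition, and the Paterson$^-$ variant keeps rules 1, 2 and 4 as described. Such an exploration covers only the instances it enumerates and is no substitute for the countermodel, which covers all n at once; it does, however, show why the state space is finite per instance (every rule preserves the length and the number of 0s and 1s) and hands back a concrete witness string if a rule set is unsafe.

```python
"""Explicit-state exploration of the Paterson string rewriting system of Section 5.5
(added example; the rules are transcribed from the page, everything else is this example's own)."""
from collections import deque


def rule1(s):
    """x01y -> x10y with x in 0*: flip the leftmost '01' whose prefix consists of zeros only."""
    for i in range(len(s) - 1):
        if s[i:i + 2] == "01" and set(s[:i]) <= {"0"}:
            yield s[:i] + "10" + s[i + 2:]


def rule2(s):
    """x101y -> x110y with y in 1*: the suffix after the '101' must be all ones."""
    for i in range(len(s) - 2):
        if s[i:i + 3] == "101" and set(s[i + 3:]) <= {"1"}:
            yield s[:i] + "110" + s[i + 3:]


def rule3(s):
    """x001y -> x010y with x, y arbitrary."""
    for i in range(len(s) - 2):
        if s[i:i + 3] == "001":
            yield s[:i] + "010" + s[i + 3:]


def rule4(s):
    """x0 -> 0x: a trailing 0 wraps around to the front."""
    if s.endswith("0"):
        yield "0" + s[:-1]


PATERSON = (rule1, rule2, rule3, rule4)
PATERSON_MINUS = (rule1, rule2, rule4)     # the reduced system verified by Mace4 in the paper


def reachable(initial, rules):
    """All strings reachable from `initial` under `rules` (BFS; the set is finite because
    every rule preserves the length and the number of 0s and 1s)."""
    seen, todo = {initial}, deque([initial])
    while todo:
        s = todo.popleft()
        for rule in rules:
            for t in rule(s):
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
    return seen


def is_bad(s):
    """Bad states are the set (0+1)*00."""
    return s.endswith("00")


def check_safety(n, rules=PATERSON):
    """Safety of the instance 0^n 1^n: (True, None) if no bad state is reachable,
    otherwise (False, witness)."""
    for s in reachable("0" * n + "1" * n, rules):
        if is_bad(s):
            return False, s
    return True, None


if __name__ == "__main__":
    for n in range(1, 7):
        safe, witness = check_safety(n)
        size = len(reachable("0" * n + "1" * n, PATERSON))
        print(n, "safe" if safe else "unsafe, witness " + witness, size, "states")
```

The per-instance state counts grow quickly with n, which is the practical reason for preferring the symbolic route: the finite countermodel of size 8 mentioned above certifies every instance at once, whereas the enumeration here certifies one instance per run.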



6 Related work 



As mentioned in Section 1, the approach to verification which models pro- 
tocol executions by first-order derivations and uses countermodel finding for 
disproving was introduced within research on the formal analysis of cryptographic 
protocols. It can be traced back to the early papers by Weidenbach [23] and by Selinger 
[22]. In [23] a decidable fragment of Horn clause logic was identified for which a 
resolution-based decision procedure was proposed (disproving by the procedure 
amounts to the termination of saturation without producing a proof). It was also shown 
that the fragment is expressive enough to encode cryptographic protocols, and the ap- 
proach was illustrated by the automated verification of some protocols using the 
SPASS theorem prover. In [22], apparently for the first time, explicit building of finite 
countermodels was proposed as a tool to establish the correctness of cryptographic 
protocols. It was illustrated by an example in which the countermodel was produced 
manually; the automation of the process was not discussed. The later work by 
Goubault-Larrecq [11] showed how a countermodel produced during the verification 
of cryptographic protocols can be converted into a formal induction proof. Also, in [11] 
different approaches to model building were discussed, and it was argued that an 
implicit model building procedure using alternating tree automata is more efficient in 
situations where no small countermodels exist. Very recently, in the paper [15] by 
J. Jürjens and T. Weber, an extension of Horn clause logic was proposed and the sound- 
ness of a countermodel finding procedure for this fragment was shown, again in 
the context of cryptographic protocol verification. Furthermore, in [18] an approach to 
the verification of parameterized cryptographic protocols is proposed. 

The work reported in this paper differs from all the approaches mentioned above 
in two important respects. Firstly, to the best of our knowledge, none of the 
previous work addressed verification via countermodel finding applied outside the 
area of cryptographic protocols (this includes the most recent work [13] we are aware 
of). Secondly, (relative) completeness for classes of verification tasks has not 
been addressed in previous work. 

The encoding of infinite state systems in first-order predicate logic is also used in the 
MCMT deductive symbolic model checker [9, 10]. While the principles of encoding used 
in MCMT are very similar to those we consider in the present paper, the verifi- 
cation procedure is quite different. The core algorithm of MCMT relies on a symbolic 
backward reachability procedure, in which first-order formulae are used for the sym- 
bolic representation of sets of configurations. During its execution the reachability 
procedure may call the external logic engine (an SMT solver) many times, up to several 
hundred for some examples, as reported in [9]. In the FCM method presented here 
the verification procedure is much simpler: it is just a reduction (or compilation) to 
a single problem in logic, which is then resolved via a single call to the external logic 
engine (the finite model builder). 

In a more general context, the work presented in this paper is related to the concepts 
of proof by consistency [16] and inductionless induction [6], and can be seen as an 
investigation into the power of these concepts in the particular setting of the verification 
of parameterized systems via finite countermodel finding. 



7 Conclusion 



We have shown how to apply generic finite model finders in the parameterized verifica- 
tion of linear arrays of finite automata, have demonstrated the relative complete- 
ness of the method, and have illustrated its practical efficiency. Further, we have shown 
that verification via finite countermodel finding is at least as powerful as stan- 
dard regular model checking for the verification of safety properties. Inspection of the 
proofs of relative completeness reveals that the key reason for completeness is the 
existence of a regular set separating the reachable and the bad (unsafe) states. We conclude 
with the very general claim that, for any parameterized system for which there exists a 
regular set separating reachable and unsafe states, its correctness can be demonstrated 
by the finite countermodel finding method. Formal instantiations of this claim for particu- 
lar classes of problems remain a subject of ongoing and future work. In particular, the 
extension of the results presented in this paper to the case of tree regular model check- 
ing looks quite straightforward. More speculative and intriguing is the possibility of using 
infinite model building procedures [5] for parameterized verification. Further investiga- 
tion of the practical efficiency and scalability of the method is also an important direction 
for future work. 